Lab 6 – LAN-to-WAN Domain
Lab 6.1a
The three STIGs discussed are the Cisco Internetwork Operating System (IOS) STIG, the Solaris 11 STIG, and the Red Hat Enterprise Linux 7 STIG. The Cisco IOS STIG comprises instructions for securing Cisco IOS devices. Some rule settings encompassed within the set of instructions include but are not limited to data protection, auditing and monitoring, and infrastructure and communications monitoring (Kim & Solomon, 2021). The Solaris 11 STIG, on the other hand, is composed of guidance that secures Solaris 11 systems. The guidance covers features and capabilities common to most Solaris 11 systems, including physical and environmental protection, authorization and access control, and system and information integrity. The last STIG for evaluation is the Red Hat Enterprise Linux 7 STIG, which offers guidance for Red Hat Enterprise Linux 7 systems (Kim & Solomon, 2021). The guidance includes rule settings for various features such as maintenance, infrastructure, communications protection, accounts, and authentication. Some of the DoD’s workstation hardening guidelines are:
- Enhanced auditing.
- Restricted access to privileged accounts.
- Encryption of sensitive data.
- Installation of personal firewalls.
- Configuration of security features in applications.
- Lockdown of server consoles.
Lab 6.1b
Various risks, threats, and vulnerabilities are commonly found in the LAN-to-WAN domain. The first category of these risks is malicious code, also identified as Trojan horses. A Trojan horse is designed to damage the computer or gain unauthorized access for illegitimate control. Another threat is network sniffers, which hackers may use to capture network traffic and thereby illegally obtain usernames, passwords, and electronic mail. Furthermore, distributed attack tools are similar to sniffers but have a wider scope and the capability of affecting large numbers of computers on a network. Lastly, denial of service tools also threaten the LAN-to-WAN domain by disrupting the accessibility of network resources such as servers and websites.
Five major system-hardening processes that can be adopted within the network infrastructure include:
- Server hardening
- Operating system hardening
- Software application hardening
- Network hardening
Lab 6.1c
Enclave Perimeter
- Enclave protection mechanisms: System resources within the security domain that share the protection of a single, common security perimeter.
- Network infrastructure diagram: A visual representation of a computer network composed of devices, routers, hubs, and firewalls.
- External connections: A form of connection between a contract computer facility and the computer facilities of other organizations, including contractors and consultants.
- Leased lines: Dedicated data connections with a fixed bandwidth. The lines provide a connection to the internet in a secure, reliable, and highly efficient way.
- Approved gateway/internet service provider connectivity: A standardized interface that permits communication with modern technology solutions such as digital assistance or mobile payment.
- Backdoor connections: These are methods by which authorized or unauthorized users get around the security measures and acquire user access within the computer system.
- IPv4 address privacy: This contains additional information about a user, such as a birthdate or social security number. Hackers can easily impersonate someone online if they get access to these details.
Firewall
- Packet filters: Network security features that regulate the flow of incoming and outgoing network data.
- Bastion host: A server that protects a private network from an external network like the Internet.
- Stateful inspection: A firewall that tracks the sessions of network connections that pass through it.
- Firewalls with application awareness
- Deep packet inspection: This is a form of intensive filtering so that any non-compliance to protocol, spam, viruses, and intrusions are excluded from entering the network.
- Application-proxy gateway: This proxy firewall offers network security by filtering the data transmitted over the network application.
- Hybrid firewall technologies: Firewalls often consist of packet filtering combined with an application proxy firewall or a circuit gateway combined with an application proxy firewall.
- Dedicated proxy: This is an exclusive proxy used by a single user or device. Users often settle on this proxy type if they intend to keep the same IP address longer.
- Layered firewall architecture: A firewall with various firewalls, such as the screening router with a packet filter, followed by a proxy firewall and a personal firewall for every host within the network.
- Content filtering: This is a process whereby the software or hardware component of the network restricts access to objectionable emails, webpages, and any other suspicious items. Most organizations often implement this measure to prevent employees from accessing social media platforms.
- Perimeter protection: This is the first line of defense, detecting an intruder’s activities at entry points such as vents, windows, or skylights. The major advantage of perimeter protection is that it is simple to design.
- Tunnels: Protocols that permit secure data movement from one network to another.
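The difference between the packet filter and stateful inspection entries above is easiest to see in code. The following Python program is an added example written for this page, not part of the lab or of any firewall product: it models a small internal network (the 10.0.0.0/24 prefix, a constructed assumption) behind two filters. The stateless packet filter judges each packet on its header alone and lets in any inbound packet with the ACK flag set, on the assumption that it is a reply; the stateful filter only admits an inbound packet that matches a session it saw opened from the inside, so an unsolicited inbound packet with ACK set is dropped.

```python
"""Stateless packet filter vs. stateful inspection (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


INTERNAL_NET = "10.0.0."  # assumption: hosts with this prefix are inside the perimeter


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def stateless_filter(pkt: Packet) -> str:
    """Packet filter: decides on each packet's header alone.
    Rule 1: allow anything leaving the internal network.
    Rule 2: allow inbound packets with ACK set (assumed to be replies).
    Rule 3: deny everything else."""
    if is_internal(pkt.src):
        return "allow"
    if pkt.ack:
        return "allow"
    return "deny"


class StatefulFilter:
    """Stateful inspection: remembers sessions opened from the inside and only
    admits inbound packets that belong to one of them."""

    def __init__(self):
        # (internal ip, internal port, external ip, external port)
        self.sessions = set()

    def filter(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            if pkt.syn and not pkt.ack:  # new outbound connection: record it
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.sessions else "deny"


def run_scenario():
    """Pass three constructed packets through both filters; returns
    {name: (stateless decision, stateful decision)}."""
    fw = StatefulFilter()
    outbound = Packet("10.0.0.5", 50123, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 50123, syn=True, ack=True)
    # Inbound packet with ACK set but no session behind it: only the
    # stateful filter notices that nothing from the inside asked for it.
    unsolicited = Packet("198.51.100.7", 4444, "10.0.0.5", 22, ack=True)
    results = {}
    for name, pkt in [("outbound", outbound), ("reply", reply), ("unsolicited_ack", unsolicited)]:
        results[name] = (stateless_filter(pkt), fw.filter(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:16} stateless={stateless:5} stateful={stateful}")
```

Running it shows both filters agreeing on the legitimate outbound request and its reply, and disagreeing only on the unsolicited inbound packet, which is the case that motivates stateful inspection in the firewall list above.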
Lab 6.1d
Non-registered or Unauthorized IP Addresses
Non-registered IP addresses are unexpected addresses that are not flagged by the OpenDNS IP layer enforcement solution. This traffic can be linked to routes set on the client side by the user and often indicates malicious activity that interferes with the device’s routing table (Kim & Solomon, 2021). In most cases, unauthorized IP addresses are brought about by a user trying to bypass the organization’s security system to gain access to the internet.
In-Band Mgt Not Configured To Timeout In 10 Min
In-band management that is not configured to time out in 10 minutes reduces the level of protection offered to the critical network components. IT professionals should review the management connection and have the network element configured to time out the connection after ten minutes or less of inactivity to increase protection.
Exclusive Use of Privileged and Non-Privileged
Exclusive use of privileged accounts refers to a user account with more privileges than ordinary users. These exclusive use privileges may include installing or removing software and modifying or upgrading the operating system (Kim & Solomon, 2021). On the other hand, non-privileged accounts lack these privileges; in other words, their functionality is more limited.
Assign The Lowest Privilege Level To User Accounts
The lowest privilege level assigned to user accounts entails strictly limiting users’ access rights to only the information they need to perform their jobs.
Log All In-Band Management Access Attempts
In-band management is a method of network management that permits management traffic to use the same path as production traffic when communicating with the various network nodes. However, logging all in-band management access attempts in this way is practical only in small-scale networks.
Lab 6.1e
A log or syslog statement that follows only some deny statements makes it easier to identify configuration errors, fewer disruptions would be experienced with the troubleshooting service, and the network would rarely be scanned (Kim & Solomon, 2021). Syslog levels 0-6 are required for the system to collect relevant information to help recover.
The definition of a DNS server narrows down to DNS hostname and IP address mapping. These elements allow the user on the source host to access login, authentication, and other sensitive data.
When startup configurations are not synchronized, this problem causes the appearance of yellow lines on the hostname. This problem will prevent the system from restarting properly after the integrated change.
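The findings in Lab 6.1d (in-band management timeout, logging of management access attempts, lowest privilege level) and Lab 6.1e (deny statements followed by a log statement, syslog levels 0-6) can all be checked mechanically against a device's running configuration. The Python script below is an added example written for this page, not part of the lab and not a tool from any vendor: it parses a constructed Cisco IOS-style configuration (the hostnames, addresses and the `<HASH-PLACEHOLDER>` secrets are invented) and reports each finding. The commands it looks for (`exec-timeout`, `logging trap`, `login on-failure log`, `login on-success log`, the `log` keyword on ACL entries, `username ... privilege`) are standard IOS syntax; the thresholds (600 seconds, trap level 6) follow the text above.

```python
"""Audit a Cisco IOS running-config for the Lab 6.1d/6.1e findings
(constructed example; not from the lab or any real device)."""
import re

# Cisco IOS syslog severity keywords and their numeric levels.
SYSLOG_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                 "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample config that deliberately fails several checks.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 <HASH-PLACEHOLDER>
username ops privilege 15 secret 5 <HASH-PLACEHOLDER>
logging trap warnings
login on-failure log
access-list 101 permit tcp any host 10.0.0.10 eq 443
access-list 101 deny ip any any log
access-list 102 deny ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip any any
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 30 0
 transport input ssh
 login local
"""


def parse_line_blocks(config):
    """Map each 'line ...' stanza to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def check_exec_timeout(config, max_seconds=600):
    """6.1d: every console/vty line must time out at 10 minutes or less.
    'exec-timeout 0 0' disables the timeout, so it is also a finding; an absent
    command is reported so the reviewer confirms the platform default."""
    findings = []
    for name, cmds in parse_line_blocks(config).items():
        timeout = None
        for cmd in cmds:
            m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
            if m:
                timeout = int(m.group(1)) * 60 + int(m.group(2) or 0)
        if timeout is None:
            findings.append(f"{name}: no exec-timeout configured")
        elif timeout == 0 or timeout > max_seconds:
            findings.append(f"{name}: exec-timeout is {timeout}s, must be 1-{max_seconds}s")
    return findings


def check_deny_logging(config):
    """6.1e: every ACL deny entry should end with 'log' (or 'log-input')."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if re.match(r"(access-list \d+\s+|\d+\s+)?deny\s", line) and \
                not re.search(r"\blog(-input)?$", line):
            findings.append(f"deny without log: {line}")
    return findings


def check_syslog_level(config, min_level=6):
    """6.1e: the trap level must cover severities 0-6 ('informational' or higher)."""
    m = re.search(r"^logging trap (\w+)$", config, re.M)
    if not m:
        return ["logging trap level not explicitly set"]
    keyword = m.group(1)
    level = SYSLOG_LEVELS.get(keyword, int(keyword) if keyword.isdigit() else None)
    if level is None:
        return [f"unrecognised logging trap level: {keyword}"]
    if level < min_level:
        return [f"logging trap {keyword} sends only levels 0-{level}; need 0-{min_level}"]
    return []


def check_login_logging(config):
    """6.1d: log every in-band management access attempt, successful or not."""
    required = ("login on-failure log", "login on-success log")
    return [f"missing: {cmd}" for cmd in required
            if not re.search(rf"^{re.escape(cmd)}$", config, re.M)]


def check_privilege_levels(config):
    """6.1d: list accounts at privilege 15 (full control) for least-privilege review."""
    return [f"{m.group(1)} has privilege 15"
            for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M)]


def audit(config):
    """Run every check and return {check name: [findings]}."""
    return {"exec_timeout": check_exec_timeout(config),
            "deny_logging": check_deny_logging(config),
            "syslog_level": check_syslog_level(config),
            "login_logging": check_login_logging(config),
            "privilege": check_privilege_levels(config)}
```

Calling `audit(SAMPLE_CONFIG)` flags the 30-minute vty timeout, the unlogged deny in access list 102, the trap level of `warnings` (level 4, which drops levels 5 and 6), the missing `login on-success log`, and both privilege-15 accounts; the console line, which times out after 5 minutes, passes.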
Lab 6.1f
Some methods adopted for hardening Cisco firewalls include general control plane hardening, general data plane hardening, and general management plane hardening. General control plane hardening involves protecting the control plane to foster quick recovery of network stability in the case of a security breach. Conversely, general data plane hardening boosts network functionality by enhancing network features like IP options and, more specifically, the routing option (Kim & Solomon, 2021). Finally, general management plane hardening entails securing critical features such as access and configuration, which also aids in improving control plane operations.
Lab 6.1g
- Server hardening entails securing a server’s data, components, functions, and permissions using advanced measures at the hardware and software layers.
- Database hardening involves securing both the digital and database management systems (DBMS). It encompasses three major processes: limiting user privileges, disabling unnecessary database functions, and securing database information.
- Network hardening is achieved by establishing an intrusion detection or prevention system.
Lab 6.1h
- Patching and updating the operating system: The patching process entails correcting the OS by identifying vulnerabilities and mitigating and installing permanent fixes.
- Configuring resource controls appropriately: With appropriate configuration of resource controls, intentional and unintentional security breaches can be greatly reduced.
- Removing unnecessary services and network protocols: Since a server’s effective running requires it to be on a single-purpose host, any applications, services, or network protocols that are not required should be removed or disabled.
Lab 6.2
Some of the top LAN-to-WAN domain risks, threats, and vulnerabilities are unauthorized access, unauthorized probing and port scanning, and the local user downloading unknown file types from unknown sources. Unauthorized access occurs when third-party individuals intrude into this domain (Johnson & Easttom, 2020). Unauthorized probing refers to a technique used by attackers to gather as much information as possible about a web application (Johnson & Easttom, 2020).
There are various mitigation measures that I would adopt to audit the LAN-to-WAN domain for compliance purposes. For the threat of unauthorized access, I would apply strict security monitoring controls to detect and prevent any intrusion activities. The probing and port scanning issue would be avoided by disabling these functionalities on all exterior IP devices within this domain framework (Johnson & Easttom, 2020). I would disallow the IP port numbers that hackers capitalize on for probing and scanning the organization’s system.
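The security monitoring control proposed above for unauthorized probing and port scanning can be built from the deny records that a logged ACL produces. The Python program below is an added example written for this page, not part of the lab or of any monitoring product: it parses a handful of constructed syslog lines (modelled on the Cisco IOS ACL `log` message format, which is an assumption; the addresses and times are invented) and raises an alert when one source is denied on five or more distinct destination ports of one host within a sixty-second window, while a source that repeatedly hits a single port is left alone. The threshold and window are assumed values a reviewer would tune for their own network.

```python
"""Detect unauthorized probing and port scanning in firewall deny logs
(constructed example; the log lines are invented, not from a real device)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed deny records modelled on the Cisco IOS ACL 'log' message format
# (assumption). The final line is unrelated noise the parser must skip.
SAMPLE_LOG = """\
Mar 10 12:00:01 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40001) -> 10.0.0.10(21), 1 packet
Mar 10 12:00:02 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40002) -> 10.0.0.10(22), 1 packet
Mar 10 12:00:02 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40003) -> 10.0.0.10(23), 1 packet
Mar 10 12:00:03 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40004) -> 10.0.0.10(25), 1 packet
Mar 10 12:00:04 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40005) -> 10.0.0.10(80), 1 packet
Mar 10 12:00:05 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40006) -> 10.0.0.10(8080), 1 packet
Mar 10 12:00:30 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.20(51000) -> 10.0.0.10(445), 1 packet
Mar 10 12:01:30 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.20(51001) -> 10.0.0.10(445), 1 packet
Mar 10 12:02:00 edge-rtr %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %SEC-6-IPACCESSLOGP: list (\S+) denied (\w+) "
    r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)")


def parse(log, year=2024):
    """Turn matching deny lines into event dicts. The year is an assumption,
    because syslog timestamps omit it; non-matching lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "acl": m.group(2), "proto": m.group(3),
                       "src": m.group(4), "dst": m.group(6), "dport": int(m.group(7))})
    return events


def detect_scans(events, window_seconds=60, port_threshold=5):
    """Alert when one source is denied on >= port_threshold distinct ports of one
    destination inside a sliding window of window_seconds. Many ports in a short
    burst is the signature of probing; repeated hits on a single port is not."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while (evs[end]["time"] - evs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                               "first": evs[start]["time"], "last": evs[end]["time"]})
                break  # one alert per source/destination pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse(SAMPLE_LOG)):
        print(f"probing from {alert['src']} against {alert['dst']}: "
              f"ports {alert['ports']} between {alert['first']} and {alert['last']}")
```

On the constructed log this produces a single alert for 198.51.100.7, which touched six ports of 10.0.0.10 in five seconds; 203.0.113.20, denied twice on port 445 a minute apart, is not reported. Such an alert is the trigger for the access-control and port-blocking measures described above.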
References
Johnson, R., & Easttom, C. (2020). Security policies and implementation issues. Jones & Bartlett Learning.
Kim, D., & Solomon, M. G. (2021). Fundamentals of information systems security. Jones & Bartlett Learning.
Question
This homework assignment aims to teach you how to audit the LAN-to-WAN domain. You will identify common risks, threats, and vulnerabilities in the LAN-to-WAN domain. You will assess common risks, threats, and vulnerabilities in the LAN-to-WAN domain and identify the network and security policies needed to properly secure the LAN-to-WAN portion of the network infrastructure. You will audit and assess the implementation of security controls within the LAN-to-WAN domain and recommend LAN-to-WAN domain hardening solutions by implementing proper security controls at the Internet ingress/egress point within an IT infrastructure. You will use a text document to develop your homework assignment by completing the sections listed below: